[Q] key vs subkey.

Dennis Lambe Jr. malsyned@cif.rochester.edu
Sun May 11 21:44:03 2003


> -  What's the difference between the fingerprint and the KeyID?

The KeyID is a short, easy-ish to remember number that (probably)
uniquely identifies your key.  It can be used to specify the key you're
dealing with to gpg commands, and it is the value on which keyservers
index their keys, and by which signatures refer to the key which created
them.

An example KeyID: F53BA904

The Fingerprint is a longer number which also (probably, much more
probably) uniquely identifies your key, with the added property that it
would be cosmically difficult for a man-in-the-middle to generate
another key with the same fingerprint, allowing him to spoof the
authentication and signing of keys.  Fingerprints are treated as
unforgeable proof that two people are talking about the same key,
without them having to read the whole key to each other.  They are
considered necessary and sufficient for confident signing of keys.  To
see the fingerprint of a key, the command
gpg --fingerprint KeyID
can be used.

An example fingerprint: 580D 265C 0FF3 099B A799  1FC7 FEB2 E4CC F53B A904

> -  Does only the signing key have a fingerprint?

Any public key has a fingerprint, but only the primary signing key's
fingerprint is usually used, since once the primary key has been
verified, secondary keys that are bound to it by valid signatures can be
trusted.

> -  Which KeyID do I use to generate my public key?
>    I figure it must be the ElGamal one.

The KeyID merely identifies an already-generated key.  If you're talking
about exporting the key, then you can use the KeyID, as well as any
unique string of characters in an identity attached to that key.  The
public key consists both of the primary signing key and the encryption
subkey.  Usually, the KeyID of the /signing/ key is used to refer to the
entire key, since the encryption key is expected to be less permanent.

Essentially, you can act as though you were always talking about just
the signing key, and GnuPG will treat any subkeys attached to it as part
of the package.

--Dennis Lambe

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: My public key is available at http://cif.rochester.edu/~malsyned/public_key.html

iD8DBQA+vqjK+yh/ThbejSgRAlMiAJwNKhbK8ZYLfwhCbpXRsFAJgzgacgCgg9dn
iDVF/hi0FxhnGtg7/Lfbfuw=
=5b9E
-----END PGP SIGNATURE-----

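The mail above describes the KeyID and the fingerprint as two numbers of different lengths that identify the same key, and says that subkeys have fingerprints of their own. The relationship is mechanical, and worth seeing once in code: for a v4 OpenPGP key the fingerprint is the SHA-1 hash of the public key packet body (prefixed with the octet 0x99 and a two-octet length, which is exactly the old-format packet header of a primary public key), the long KeyID is the low-order 64 bits of that hash, and the short 8-hex-digit KeyID used in the mail is the low-order 32 bits. The following is an added example written for this page, not code from the original mail or from GnuPG; the DSA-style primary key and ElGamal-style subkey it builds use constructed toy numbers purely to exercise the packet encoding, and are not real keys. Run stand-alone it prints the fingerprints and KeyIDs of the two constructed packets, then derives the long and short KeyID from the fingerprint quoted in the mail, which gives back the KeyID F53BA904 quoted there.

```python
"""Compute OpenPGP v4 fingerprints and key IDs (RFC 4880 sections 3.2, 4.2, 5.5.2, 12.2).

Added example for this page; not from the original mail or from GnuPG. The key
material below uses constructed toy numbers to exercise the encoding only."""
import hashlib
import struct

PUBLIC_KEY_TAG = 6      # primary Public-Key packet
PUBLIC_SUBKEY_TAG = 14  # Public-Subkey packet (same fingerprint rule applies)

def mpi(n):
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def v4_key_body(created, algo, *mpis):
    """Body of a v4 Public-Key or Public-Subkey packet: version 4, creation time, algorithm id, MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(m) for m in mpis)

def old_format_packet(tag, body):
    """Wrap a body in an old-format packet header with a two-octet length (length type 1)."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def v4_fingerprint(body):
    """SHA-1 over 0x99, the two-octet body length, and the body.  0x99 is the old-format
    header byte for tag 6 with a two-octet length, so for a primary key this is literally
    its own packet; subkeys (tag 14) are hashed with the same 0x99 prefix regardless."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def fingerprint_of_packet(packet):
    """Parse an old-format Public-Key/Public-Subkey packet and return its fingerprint."""
    hdr = packet[0]
    if not hdr & 0x80 or hdr & 0x40:
        raise ValueError("only old-format packet headers are handled here")
    tag, length_type = (hdr >> 2) & 0x0F, hdr & 0x03
    if tag not in (PUBLIC_KEY_TAG, PUBLIC_SUBKEY_TAG):
        raise ValueError("not a public key or subkey packet: tag %d" % tag)
    if length_type == 3:
        raise ValueError("indeterminate length is not allowed for key packets")
    len_octets = 1 << length_type  # 1, 2 or 4 length octets
    body_len = int.from_bytes(packet[1:1 + len_octets], "big")
    body = packet[1 + len_octets:1 + len_octets + body_len]
    if len(body) != body_len or body[0] != 4:
        raise ValueError("truncated packet or not a v4 key")
    return v4_fingerprint(body)

def long_key_id(fpr):
    """Low-order 64 bits of the fingerprint, as gpg --keyid-format long prints it."""
    return fpr[-8:].hex().upper()

def short_key_id(fpr):
    """Low-order 32 bits: the 8-hex-digit KeyID style used in the mail above."""
    return fpr[-4:].hex().upper()

def format_fingerprint(fpr):
    """gpg --fingerprint layout: ten groups of four hex digits, a double space after the fifth."""
    h = fpr.hex().upper()
    groups = [h[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])

def key_ids_from_fingerprint_text(text):
    """Derive (long, short) key IDs from a fingerprint as printed by gpg --fingerprint."""
    fpr = bytes.fromhex(text.replace(" ", ""))
    if len(fpr) != 20:
        raise ValueError("a v4 fingerprint is 20 bytes")
    return long_key_id(fpr), short_key_id(fpr)

# Constructed DSA-style primary key (algo 17: p, q, g, y) and ElGamal-style subkey
# (algo 16: p, g, y) with toy numbers; only the encoding matters here, not the math.
PRIMARY_BODY = v4_key_body(1052700000, 17, 0xE3F1 << 1000 | 0x1, 0x9D3B, 0x2, 0x4A71 << 900 | 0x5)
SUBKEY_BODY = v4_key_body(1052700000, 16, 0xC5D7 << 1000 | 0x3, 0x2, 0x7B2F << 900 | 0x9)
PRIMARY_PACKET = old_format_packet(PUBLIC_KEY_TAG, PRIMARY_BODY)
SUBKEY_PACKET = old_format_packet(PUBLIC_SUBKEY_TAG, SUBKEY_BODY)

if __name__ == "__main__":
    for name, pkt in (("primary", PRIMARY_PACKET), ("subkey", SUBKEY_PACKET)):
        fpr = fingerprint_of_packet(pkt)
        print("%-8s fpr %s  long %s  short %s"
              % (name, format_fingerprint(fpr), long_key_id(fpr), short_key_id(fpr)))
    # The fingerprint quoted in the mail yields the KeyID quoted in the mail.
    print(key_ids_from_fingerprint_text("580D 265C 0FF3 099B A799  1FC7 FEB2 E4CC F53B A904"))
```

Because the short KeyID is just 32 bits of a 160-bit hash, two keys sharing a short KeyID is a matter of the hash truncation, which is why the mail reserves the word "unforgeable" for the full fingerprint; the functions above make that distinction visible, since `short_key_id` and `long_key_id` both throw away most of what `v4_fingerprint` computed.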